Facebook may not collect or combine personal data using “forced consent”, says German competition authority

It would be an understatement to say that Facebook is under intense scrutiny at the moment. Mostly this has come from data protection authorities in the EU, using the GDPR as a means for challenging Facebook’s business practices. But the attack has just broadened, with Germany’s competition authority, the Bundeskartellamt, issuing a ruling that strikes at the heart of Facebook’s business model.

Following a three-year investigation, the German competition authority has imposed a number of restrictions on Facebook. In the future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts. By combining data from its own site and from many others around the Internet, Facebook is able to build a uniquely powerful database for each individual user, and thus to gain market power. That market power is why the competition authority has intervened. According to the press release:

The company has a dominant position in the German market for social networks. With 23 million daily active users and 32 million monthly active users Facebook has a market share of more than 95% (daily active users) and more than 80% (monthly active users).

The Bundeskartellamt notes that Google is closing its own social network in April, and that Snapchat, YouTube, Twitter, LinkedIn and Xing only offer some elements of Facebook’s service, and therefore cannot be considered as true rivals or substitutes. According to Andreas Mundt, President of the Bundeskartellamt:

As a dominant company Facebook is subject to special obligations under competition law. In the operation of its business model the company must take into account that Facebook users practically cannot switch to other social networks. In view of Facebook’s superior market power, an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing. The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.

This is the issue of “forced consent” that led to Google being hit with the first big GDPR fine. In Germany, the competition authority is not imposing a fine, although it has warned it could do so if Facebook fails to comply with its ruling. Instead, it is imposing restrictions on how Facebook may gather and use personal data. It wants users to give voluntary, not forced, consent to data being collected and combined. In particular, if users do not consent, Facebook may not exclude them from its services and must not collect and merge data from different sources. That even applies to Facebook-owned services like WhatsApp and Instagram. These can collect data about their users, but in general may only pass that data to Facebook with the user’s voluntary consent.

As a concession, the Bundeskartellamt will allow Facebook to combine personal data from other sources if the data processing is “substantially restricted” according to the detailed background information on the ruling. The German authorities say there are “several possible options for a solution to this effect which Facebook must develop within the next four months and submit to the Bundeskartellamt”. Facebook has been given one month to appeal against the decision, which the company says it intends to do:

The Bundeskartellamt underestimates the fierce competition we face in Germany, misinterprets our compliance with GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU.

The order from the German competition authorities is a significant development in the continuing attempts by governments around the world to rein in powerful Internet companies like Facebook and Google, and to protect the privacy of citizens. It’s true that this decision only applies to Germany, but that is a major market, the biggest in the EU.

The basic argument of the Bundeskartellamt is that Facebook abused its dominant position to force users to agree to their personal data being collected and combined with similar information gathered elsewhere. The German authorities say that a “review of the data processing policies showed that Facebook has no effective justification for collecting data from other company-owned services and Facebook Business Tools or for assigning these data to the Facebook user accounts.” Also: “because of Facebook’s market power users have no option to avoid the combination of their data”, and so lose “informational self-determination.” Those are arguments that might be made elsewhere, since Facebook operates in the same way around the world.

The German competition authorities point out that “the application of European abuse control provisions is always an issue. Such an abuse control proceeding against Facebook would generally also be possible under the relevant norm of Article 102 [of the Treaty on the Functioning of the European Union]”. Article 102 says: “Any abuse by one or more undertakings of a dominant position within the internal market or in a substantial part of it shall be prohibited as incompatible with the internal market in so far as it may affect trade between Member States.” That’s pretty general. Moreover, the Bundeskartellamt mentions the following:

So far, however, only the case-law of the highest German court has been established which can take into account constitutional or other legal principles (in this case data protection) in assessing abusive practices of a dominant company. However, due to the cross-border dimension of this case, the Bundeskartellamt closely liaised with the European Commission and other competition authorities in the course of the proceeding.

That’s potentially significant. It suggests that discussions have already taken place at the EU level about whether Facebook might be abusing its dominant position in Europe, and would therefore fall foul of Article 102. Other competition authorities may also be looking to follow Germany’s example. And to add to Facebook’s future problems, the New York Times quotes Giovanni Buttarelli, the European Data Protection Supervisor, who oversees EU’s independent data protection authority that advises on privacy-related laws and policies, as saying that data protection regulators from across the region planned to discuss the case over the next few weeks. It seems clear that Facebook’s privacy woes are going to get quite a lot worse before they get better.

Glyn Moody is a freelance journalist who writes and speaks about privacy, surveillance, digital rights, open source, copyright, patents and general policy issues involving digital technology. He started covering the business use of the Internet in 1994, and wrote the first mainstream feature about Linux, which appeared in Wired in August 1997. His book, "Rebel Code," is the first and only detailed history of the rise of open source, while his subsequent work, "The Digital Code of Life," explores bioinformatics - the intersection of computing with genomics.